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Secure communication requires message authentication. In this paper we address the problem of 
how to authenticate quantum information sent through a quantum channel between two commu- 
nicating parties with the minimum amount of resources. Specifically, our objective is to determine 
whether one elementary quantum message (a qubit) can be authenticated with a key of minimum 
length. We show that, unlike the case of classical-message quantum authentication, this is not 
possible. 

PACS numbers: 3.67.Dd, 03.67.Hk, 03.67.Lx. 



I. INTRODUCTION 

Cryptography deals about communication in the pres- 
ence of adversaries and one of its fundamental goals 
is to provide message authentication (also called data- 
origin authentication) Q. This is a process whereby a 
party is corroborated as the original source of some spec- 
ified data created, transmitted, or stored at some time 
in the past. To assure message authentication, one then 
must have the ability to detect any data manipulation 
by unauthorized parties. This is particularly important 
in public-key cryptography, in which users must be con- 
fident about the authenticity of the public-keys of the 
partners involved in the communication. 

Classical cryptography provides data-origin authenti- 
cation by means of two general techniques: message 
authentication codes (MACs) and digital-signature 
schemes Q. In both cases, the authentication process 
is specified by two algorithms: an encoding, or tagging 
algorithm (possibly stochastic), and a decoding or ver- 
ification algorithm. When the sender (Alice) wishes to 
send a certified message to a recipient (Bob), she gener- 
ates, employing the encoding algorithm, an authentica- 
tion tag or a signature (in both cases a function of the 
message and a secret encoding-key) and appends it to 
the message before actually sending it. Notice that this 
tagged-message may be sent in the clear; the authen- 
tication problem is, therefore, very different to the one 
associated to encryption since no secrecy is necessary for 
secure message authentication. On the reception side, 
Bob verifies the authenticity of the message by means of 
the specified decoding procedure, which depends on the 
message, the tag, and a decoding-key. This algorithm 
returns a bit indicating when Bob must regard the mes- 
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sage as authentic, and accept it as coming from Alice, 
and when he must discard it. The basic requirement is 
that the tags, which are produced by the encoding algo- 
rithm, be accepted as valid by the verification algorithm 
when a decoding-key corresponding to the encoding-key 
is used on the tagging procedure. When a message au- 
thentication scheme fulfills this requisite it is said that it 
provides perfect deterministic decoding. 

Choosing between MACs and digital-signature 
schemes depends on the communication context. 
Typically, MACs are employed when the receiver is 
predetermined at the time of message transmission, 
and the decoding-key he owns, which can be equal to 
the encoding-key, is secret. In signature schemes, on 
the contrary, the decoding-key is public, and therefore 
known also to the adversary (Eve); this fact guarantees 
that anybody can verify the authenticity of data (univer- 
sal verification), and that Alice cannot later repudiate 
having signed the message, since no one but she owns 
the encoding-key. 

Although several information-theoretic secure MACs 
have been proposed (see, e.g., ||), the security provided 
by signature schemes depends on unproven assumptions 
related to the intractability of certain difficult math- 
ematical problems, such as the prime-factorization of 
large numbers |{| or the discrete-logarithm computation 
Unfortunately, if a quantum computer is ever built, 
Shor's quantum algorithms could break classical sig- 
nature schemes easily, i.e., in polynomial time. 

The use of quantum resources in user authentication 
has been proposed before in QKD scenarios [|| g|. More 
recently, several proposals of general message authentica- 
tion using quantum resources have been made. Gottes- 
man and Chuang JTo| have proposed a quantum version 
of classical digital-signature schemes. Their technique re- 
quires limited circulation of the public key, but it allows 
unconditionally secure authentication of classical mes- 
sages. A disadvantage of this protocol, as stated by the 
authors, is that it requires several non-reusable key-bits 
for each message-bit signed. Leung Oj, in another re- 
cent paper, also studies quantum message authentication. 



2 



Her protocol requires a two-way classical channel between 
partners, thus making the overall security dependent on 
the security of that channel. In a previous article |Q 
some of us proposed a class of quantum authentication 
protocols that allow secure authentication of classical bi- 
nary messages with one bit as the authentication key. 
This improves the efficiency of classical MACs, that re- 
quire, for the authentication of binary messages, at least 
two-bit keys. In this paper we adapt this class of proto- 
cols to the authentication of quantum messages (qubits), 
and study its security. We show that, using the amount of 
quantum resources needed to authenticate one-bit classi- 
cal messages, the intrinsic nature of quantum information 
makes it impossible to detect every unauthorized quan- 
tum data manipulation by a potential adversary, thus 
making qubit authentication not possible. 

The paper is organized as follows. In Section II we de- 
scribe a general class of one-qubit message authentication 
protocols. This class can be seen as a generalization of 
the one presented in m2\ to authenticate classical binary 
messages. In Section ffn we analyze the security of these 
protocols against several attacks. First, we analyze the 
no-message attack, in which the sender has not initiated 
the transmission (there is no message in the channel) , and 
Eve attempts to prepare a fake quantum message with 
the intention of passing Bob's verification test. Then, 
we study more subtle attacks, those in which Eve has 
access to what is transmitted. After studying all these 
attacks we show that it is not possible to keep the failure 
probability of the authentication protocol below one. 



II. QUANTUM MESSAGE AUTHENTICATION 

Suppose Alice needs to send a certified quantum mes- 
sage to Bob. The goal is to make Bob confident about the 
authenticity of the message and sender. For the sake of 
simplicity, let us assume that the state to send certified is 
an arbitrary qubit described by the density operator pj^ 
operating on some two-dimensional message space M.. 
This qubit may be locally generated by her, or she may 
be acting as a relay station between two other parties. 
In order to certify this message, Alice follows the stan- 
dard procedure in classical authentication: She appends 
a tag to the message in such a way that the recipient, 
Bob, may verify the tag and so convince himself about 
the identity of the message originator. The difference 
with respect to the classical case is that now the tag is 
also a quantum state, given by the density operator pq-, 
of some tag space T. Therefore, the quantum tagged- 
message is described by the operator pg = pm ® pr that 
acts on the state space £ = A4 (£> T. Since our objective 
is to determine whether authentication is possible with 
the minimum amount of resources, we shall regard T as 
a two-dimensional space. Although this might seem a 
strong restriction, it can be shown that having a bigger 
tag does not improve the security of the protocol, at least 
when dealing with an ideal, error-free quantum channel, 



as is the case considered here. In a noisy channel, a big- 
ger tag space would certainly be useful in the detection 
of errors in the channel that might alter the message, in 
the way Quantum Error Correcting Codes (QECC) usu- 
ally work. We shall return to this point with more detail 
later, at the end of Section III. Finally, since we are inter- 
ested in perfect deterministic decoding, valid and invalid 
tags must belong, respectively, to orthogonal subspaces 
in T, but, since one cannot find orthogonal mixed states 
in a two-dimensional space (T), pq- must be a pure state, 
namely pr — |0)(0|r- 

No authentication is possible without a previously 
shared secret between the two communicating parties. 
This key, which may have been exchanged directly or 
by means of a trusted third party (a certification au- 
thority), can be a classical or a quantum one. In our 
proposal we shall assume that Alice and Bob share a 
maximally entangled quantum state as their secret au- 
thentication key. For instance, each of the parties could 
own one qubit of a publicly-known singlet state \ip) ab — 
-^{\^)ab ~ \^)ab)- It can be argued that, in a real- 
istic scenario, dealing with classical keys would be more 
advantageous. In fact, our protocol can equally operate 
with one-bit classical keys. However, we prefer the use of 
quantum keys for their better key-management proper- 
ties — no copying of the key remains undetected if extra 
quantum key is included for this check. 

The main difference between authenticating a classical 
message and a quantum one resides in the nature of p^ . 
If pm is a quantum message, it belongs to the continuous 
space of density operators acting on M.. Since Alice may 
act just as a relay station, we shall assume that pm is 
unknown to her. In the classical case, there are only two 
classical messages to send, '0' or T'. To encode them un- 
ambiguously Alice and Bob need to agree on a particular 
orthonormal basis of A4, {\0)m, \^)m}, so pm would be 
restricted to be either |0)(0|» or 1 1) (1 - This decision 
can be made openly, adding no more secrecy between the 
parties. 

According to the notation introduced above, the state 
of the global system (key+tagged-message) is given by 



Pabs = \i/j)(i/>\ab® Pe = \iP){i/j\ab ®Pm ® |0)(0| T - (1) 

Next Alice performs, on her part of \iP)ab and on the 
tagged-message, an encoding operation Eae- We may 
write this unitary operation in the general form: 



E A£ = 



If + |l)(lU®*7 f , 



(2) 



where U$ is some arbitrary unitary quantum operation 
on £. Basically, the action of Eae is equivalent to the 
selection, triggered by the state of a one-bit key, of one 
operator from an arbitrary pair of publicly-known uni- 
tary ones (in our case, If and Ue ). Once this operator is 
selected, it is applied to pg before sending it through the 
quantum channel. The reason to enforce the unitarity of 
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these two operators is that it allows Bob to easily undo 
their action. But this is not the only way in which per- 
fect deterministic decoding can be achieved. As shown 
in jn| [HJ [^], more general quantum operations, such as 
trace-preserving completely-positive (TPCP) maps, can, 
under certain circumstances, be reversed, and, therefore, 
used in E A£ instead of Is and Us- However, for sim- 
plicity in the formalism we limit ourselves to the case of 
unitary operators. 

If we denote by p e AB s the density operator describ- 
ing the state of the global system after the encoding 
operation, i.e., p AB£ = EasPabsE A£ , then the state 
of the tagged-message that Alice sends to Bob through 
the quantum channel between them is given by pf = 
tr^s (Pabs)' where p AB s, making use of (||), can be writ- 
ten as 



Alice to Bob, Eve attempts to prepare a quantum state 
that passes the decoding algorithm. The message attack 
is more subtle and severe: Eve could access the authentic 
messages transmitted, and try to produce a forged mes- 
sage based on the information gained. In the following 
discussion we shall show how, unlike the case of authen- 
tication of classical messages jl2], when dealing with a 
one-qubit message it is impossible to select a unitary op- 
eration Us that makes all Eve's possible attacks unsuc- 
cessful. We find necessary conditions for the probability 
of successful forgery by a no-message attack (in section 
IIIA), and by a measurement attack (in section IIIB-1), 
to be less than one. Then in section IIIB-2 we show that 
under these conditions, there exists another attack, con- 
sisting of a unitary operator applied to the message and 
tag system, that succeeds with probability one. 



Pass = g (\01){01\AB®Pe + \W)(W\AB®UepeUt 

- \01){lO\AB®PsUl-\lO)(01\AB®U e pe) -(3) 

From this expression, it is easy to obtain the tagged- 
message in the channel: 

P% = \{P£ + U £ p £ Ul). (4) 

On the reception side, Bob decodes the information 
sent by Alice performing the unitary decoding operation 



A. No-message attack 

Suppose that Eve prepares some quantum state p £ G £ 
and sends it to Bob trying to impersonate Alice. When 
Bob receives this quantum message he cannot know that 
it comes from a forger, so he follows the procedure ex- 
plained in the previous section: He performs the decod- 
ing operation D B£ and then an orthogonal measurement 
{|0)(0|r, |l)(l|r} over the tag space. Before all this takes 
place, Bob 'sees', as the encoded global state, the density 
operator p AB£ = \ip){ip\AB ® Pe- After Bob's decoding, 
the tagged-message is given by 



D B£ = |0)(0| B t^ + |l)(l| B l f 



(5) 



on his qubit of the singlet and the tagged-message re- 
ceived: p d AB£ = D B £P AB£ D B£ . Using (||) and (||) in this 
equation one can easily calculate the decoded tagged- 
message as p £ = ^ab(Pabs) — P£- Finally, Bob verifies 
the state of the tag: He performs the orthogonal mea- 
surement {|0)(0|r, |l)(l|r} over the tag-portion of pf, 
where |l)r is the state in T orthogonal to the tag |0)t- 
If the result of such a measurement is \0)t, Bob should 
assume that no tampering has taken place, and therefore 
extract the quantum message sent to him; otherwise, he 
rejects the message received. 



III. SECURITY ANALYSIS 



Pi 



t*AB \P A BS) 



P E s 



(6) 



where p d AB£ = D B£ p e AB£ D B£ . As we have seen, Bob 
rejects the message if the result of his orthogonal mea- 
surement on T is |1)t; therefore, the probability Pf that 
Eve deceives Bob is: 



Pf 



(0\ti M 



pf 



U\p E £ U £ 



(7) 



This quantity depends both on Eve's strategy — her se- 
lection of p £ — and on the quantum operation Us- She 
will succeed with probability one if she chooses a p £ that 
satisfies 



In the previous section we have claimed that the pro- 
posed tag-based quantum authentication protocol pro- 
vides perfect deterministic decoding. This means that 
the protocol would fail only if Bob accepted a message as 
an authenticated one when that is not the case (due to 
the unnoticed action of Eve). When dealing with forgery 
strategies we must consider two main types of attacks: 
The no-message attack, and the message attack The 
first one is the simpler: Before any message is sent by 



tx M (pf) = |0)<0| r , (8) 

and 

tx M (ulpfUs) = |0)(0|r. (9) 

In order to check whether Eve succeeds, let us first 
consider the case in which she prepares a pure state 
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pf = \<j>){4>\ e . The conditions (|) and 
then be rewritten as 



tr M (|0)(^| £ ) = |O)(O|r, 



above can 



(10) 



and 



tv M {ul\4>){<i>\ £ Ue) =|0)(0|r, (H) 

respectively. From equation ([To]) we conclude that Eve 
should choose \<f>)g — \iP)m ® |0}r, with hMjw any pure 
state in M. When this result is used in (p]), then 



= ® |0)r (12) 

should also be satisfied, where is some pure state 

in M. 

Without loss of generality, let us write Us in the form 



Us=J2 uy®mk 



(13) 



where the Uj, with i,j = 0,1, act on Ai. With this 
notation, condition ( |T^ ) requires C^oi I V J ) J vi = 0, i.e., the 
operator Uqi must be singular. Therefore, if Alice and 
Bob select a unitary operation Us such that Uqi is non- 
singular, then Pf < 1 for any pure state prepared by 
Eve. 

What if Eve prepares a general mixed state pjf? Any 
mixed state in £ can be spectrally decomposed as pf = 

X)i=o^»l0i)(&l£> wnere < Ai < 1, X^ i=0 A 4 = 1, and 
{4>i\4>j)s — « , J = , • • • , 3 . When this decomposition 
of pg is used in (||) and (^), these equations are trans- 
formed into a problem equivalent to the one posed by 
equations ( |Io| ) and (|i"l|). Therefore, also in this more 
general case we can assure the result Pf < 1. In fact, we 
can further show that, with the appropriate selection of 
Us, Pf can be made at most 1/2. As we have seen, Pt 
can be written as 

P f = (0\tr M (p d £ ) |0) T , (14) 

with pf = (^pf + UgPgUs^j /2. Defining the projector 

P = |00)(00| £ + 1 10> <10|f , Pf = tr(pgP). Using the 
properties of the trace operator, 



P f = tr (pfQ) /2, 



(15) 



where Q = UgPUg + P is a positive operator known to 
Eve, and with maximum eigenvalue X max > 1- Therefore, 
the maximizing pf is any eigenvector corresponding to 
^max, and thus Pf = X max /2. Finally, it is easy to see 
(see, e.g., fl6||) that choosing Us such that it takes P to 
its orthogonal complement makes X m ax = 1, and then, 
as predicted, Pf = 1/2. 



B. Message attack 

This is a more subtle and severe family of attacks. In- 
stead of directly forging a quantum message and send it 
to Bob, Eve could wait for Alice's message and manipu- 
late it. Proceeding this way she tries to convert authen- 
tic messages into others with high probability of passing 
Bob's test. 

In order to simplify the analysis, and without loss of 
generality, we shall distinguish between two types of mes- 
sage attacks. In the first one, Eve tries to extract infor- 
mation, by means of the appropriate measurement of the 
message in the channel, that allows her to prepare a dif- 
ferent message that Bob regards as authentic. In the sec- 
ond class of attacks, Eve does not care about the current 
message in the channel. Instead, based on the knowledge 
of all the public aspects of the quantum authentication 
scheme used, she determines a quantum operation and 
applies it to any data sent by Alice. This quantum oper- 
ation can be described by a TP CP map. 



1. Measurement 

According to equation (Q), the information to which 
Eve has access is 



P% = 2 [Am 



t + U £ (pm®\0)(0\t)uI}. (16) 



Since Eve knows how the protocol works, she could get 
information about the key if, performing the appropri- 
ate measurement on the channel, she could perfectly dis- 
tinguish between the two terms on the right-hand side 
of (16). If Eve managed to achieve it, she would col- 
lapse the state of Alice and Bob shared-key in a known 
unentangled pure quantum state, so she could throw 
away the authentic message and prepare and send to 
Bob a new one that would pass his test. Because Eve 
does not know which quantum message, pm, has been 
sent, the only way to discern between the two terms 
is by means of their tag-portions. Therefore, in or- 
der to make this strategy successful, the states |0)(0|r 



and tr_A4 



U £ (pm®\0)(0\t)U. 



tinguishable, i.e., 



must be perfectly dis- 



(0\tr M [Us (pm ® |0)(0|r) t/JJ |0) T = 0. (17) 

Making use of the s pectra l decomposition of pm (see our 
reasoning in Section III A), the requirement above can be 
alternatively written, without loss of generality, as 



tr.M (Ue\4>){<f>\ M ® |0)(0|rt/f) = |l)(l|r, (18) 



where \4>)m is any state in M.. Equation ([lj) is satisfied 
when Us (|^)vw ® |0)r) = W)m ® |1)t, where \oj)m is 
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some state in M.. Follo wing a procedure parallel to the 
one employed in Section III A , we obtain the requirement 
that Uqo must be singular. Therefore, if Alice and Bob 
select an operation Us such that Uqo is nonsingular, Eve 
cannot infer from her measurement the necessary infor- 
mation about the key. 



2. TPCP map 

Consider that Alice sends to Bob a quantum tagged- 
message ps- If no eavesdropping takes place, the state 
in the channel is given by But, assume now that 
Eve has the power to perform an arbitrary TPCP map, 
$, on the tagged- message sent. Eve wants to choose $ 
such that the decoding procedure performed by Bob on 
the resulting state led to any state not equal to pm while 
the tag remains in the state \0)t- 

The global state resulting from Bob's decoding 
operation after Eve's TPCP mapping is Pabs ~ 

d b£Pabs d be' where Pabs = $ (Pabs)> with Pabs S iven 
by (ra). The tagged- message decoded by Bob is 



PS = tiAB (Pabs) = ~ 



${ps) + U £ $ 



(Uspe 



ut)u £ 



(19) 

The probability of Bob's accepting the message as a valid 
one is Ptpcp = (0|tr» (p^) |0}r- Clearly this probabil- 
ity is one if and only if txj^(p'g) — |0)(0|r, which means 
that the conditions 



tr^ [$ {ps)] 
Ul$ (UsPzUl) Us 



|0)(0|r, 
|0)(0|r, 



(20) 
(21) 



must be simultaneously satisfied. In order to check 
whether Eve succeeds, let us first consider the most sim- 
ple case of TPCP, that in which she performs a unitary 
operation As- Using again the spectral decomposition 
°f Pm (see, again, our reasoning in Section III A), the 
conditions above can be alternatively written as 



tVM 



A £ (|<^| M ®|0)(0| T )4J = |0)(0| T , (22) 
Bs{\4>){4>\m®\Q){U\t)bI] = |0)(0| T , (23) 



where \4>)m is any state in Ai, and Bs — UgAsUs- Then, 
it is straightforward to see that, in order to fulfill ( p2| ) and 
(B3T), Eve needs to choose a unitary operation such that 



A £ = ^2 An <g> \i)(i\r, 

i=0 

i 

B £ = ^B u ®\i){i\ T , 



(24) 
(25) 



where the An and Bu, i = 0, 1, are some unitary opera- 
tions on the state space M. . Since Bs and As are related 
by Bs = U^AsUs, we can arrange equations ( p4[ ) and 
(p5|) in matrix form and write 



A 00 
A n 



Boo 
B n 
(26) 

According to our formulation of the problem, Eve would 
succeed in her attack if, given the unitary operator Us, 
she could always find two unitary operators As and Bs 
such that UsBs = AsUs- Of course, the trivial solution 
As = Bs = Is (Eve does not modify the state of the 
tagged-message) is discarded. 



In Section III A we have shown that Alice and Bob 



i=0 



can avoid Eve's forgering of me ssages i f Uoi is nonsingu- 
lar. In a similar way, in Section IIIB 1 we have seen that 
Alice and Bob can prevent Eve from gaining critical in- 
formation about the key by way of measurement if Uqo is 
also nonsingular. If we assume now that these conditions 
hold, i.e., that Uqo and Uqi are nonsingular, then it can 
be shown, using the unitarity of Us, that U\o and Un 
are then also nonsingular. Under these conditions, as we 
show in Appendix |A|, the equation UsBs = AsUs has al- 
ways (for any Us) the prescripted solution, and Eve can 
always be successful in her attack. This unconditional 
success of Eve's attack makes unnecessary to consider 
the more general case of a TPCP map. 



C. Discussion on the structure of the tag space 

Let us now briefly explain why increasing the dimen- 
sion of the tag space does not affect any of the arguments 
considered in this section. 

As seen by Eve, the key shared by Alice and Bob 
controls whether the quantum state in the channel be- 
longs to the two-dimensional subspace spanned by the 
vectors {|0)jh |0}r, |1)vw|0)t} or to the one spanned by 
{Us (|0)ai|0) t ) ,U £ (\1) m \0)t)}, so there are two alter- 
native coding subspaces for the valid quantum messages. 
All the conditions the unitary operator Us has to fulfill 
in order to avoid Eve's attacks can be geometrically in- 
terpreted as conditions on the relative position between 
these two code subspaces of the four-dimensional space 
£ . For instance, in order to avoid the success of the no- 
message attack, as stated by the conditions (||)-(||), the 
subspaces must span £. On the other hand, in order to 
avoid the measurement attack, condition (p7|), both sub- 
spaces must be non-orthogonal. As for the unitary at- 
tack, we have seen that Eve can always fulfill conditions 
(pi|)-(|25|), i.e. she can always find a unitary operator act- 
ing on £ such that it leaves invariant both subspaces at 
the same time, independently of their relative position, 
and rotate the vectors within in a non trivial way. 

If the dimension of T is increased, the dimension of 
the space £ also increases (say to N, with N > 4), 
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but if the valid tag state is still some particular state 
0)7- = |0---0}x, the dimension of the two alternative 
code subspaces will remain equal to two. Thus we are 
just embedding the problem in a larger space, but not 
changing its intrinsic complexity: In a A-dimensional 
space Alice and Bob would still be able to choose two 
two-dimensional code subspaces neither linearly depen- 
dent nor orthogonal, and Eve would still find a unitary 
nontrivial operator in U (N) whose restriction to the par- 
ticular four-dimensional space containing the two codes 
leaves both codes invariant. 

One may also consider what would happen if we al- 
lowed the tag state to be a mixed, pr, rather than a 
pure state. According to our protocol, in order to have 
perfect deterministic decoding, the tag should belong to 
any subspace of the tag space (so that Alice an Bob could 
perfectly distinguish between valid or invalid messages). 
When measuring a mixed state one can obtain any state 
belonging to the subspace the mixed state has support 
on (with a certain probability, given by the spectral de- 
composition). Consequently, when Bob verifies the tag, 
he will consider as valid any result giving a state inside 
that subspace, and will discard the message if the result 
lays in the orthogonal complement. Since the dimension 
of the two distinct code subspaces increases, things are 
slightly more complicated when the tag is not pure. Let 
n < N be the dimension of the valid code subspaces, and 
let us see whether we can generalize conditions 
and @-(H). 

Generalization of conditions (p|-(^|) above is achieved 
if and only if, for some state p§, the states trx (ps) 

and tTM {u^pfU^j belong to the valid tag subspace. 
But, as argued above, this can be avoided by Alice and 
Bob choosing an operator Us such that the block of U £ 
transforming states from the valid tag subspace to the 
invalid one (the analogous to U^ in Jl3|)) is nonsingular. 
Note that if n < N/2 this block is not a square operator, 
and nonsingular means with trivial kernel. Note also that 
choosing n > N/2 (a subspace of valid messages bigger 
than the invalid one) is insecure, since there would always 
be vectors of the valid subspace transformed into the null 
state by that block, and so Eve would be successful in the 
no- message attack with probability one. 

Generalization of equations ([l7])-([l8]), related to the 
measurement attack, is achieved if and only if the state 

tr.M Ug (pm eg) pr) Us belongs to the invalid tag sub- 
space. But again this can be avoided choosing Us such 
that the equivalent to block {Too (now a n 2 -dimensional 
block operator, transforming states within the valid tag 
subspace) is nonsingular. 

But the crucial fact is that Eve can still fulfill condi- 
tions (pi|)-(p5|), i.e., there is always a nontrivial unitary 
operator leaving invariant the two code subspaces. To 
see this, note that the generalization of equations (|2p|)- 
( p3| ) is obtained by simply imposing that the states in 
the left-hand side of those equations belong to the valid 
tag subspace. Then equations (pi|)-((2l) would have the 



same form, apart from the fact that now Aqq, £?oo and Uqo 
would represent Tridimensional operators, An, Bn and 
Un (N — ?i) 2 -dimensional ones, Uqi a n x (N — n) opera- 
tor, and Uio a (N — n) x n one. The solutions for Aqq and 
An gi ven i n the appendix equally hold if n — N/2 (equa- 
tions ( A4)-( |A5| ) are exactly the same, all the blocks are 
square operators, and we can invert them). If n < N/2 
then we are just embedding a 2n < N problem into a 
larger ./V-dimensional space, and thus the solution of the 
intrinsic problem still exists. 

The fact that increasing the dimension of T does not 
improve the robustness of the protocol may surprise the 
reader familiar with Quantum Error Correction Codes 
(QECC). In these codes more qubits of tag are added to 
protect against more errors. But note that the nature of 
the errors considered is statistical, i.e. they are randomly 
generated by the noise in the channel. In QECC the effi- 
ciency of the correction capability lays on the assumption 
that statistical errors on a large number of qubits are less 
likely than those on a small number. The errors consid- 
ered here, arbitrary unitary actions on the space £, do 
not belong to this category. 



IV. CONCLUSION 

Providing message authentication is one of the main 
goals of communication security. Classical message- 
authentication methods can be combined with quantum 
teleportation to make the authentication of quantum in- 
formation possible. However, it is not yet clear whether 
this procedure is optimal in the resources it requires. In 
this paper we study the authentication of elementary 
quantum messages (qubits) using minimum-size keys. 
Specifically, we have generalized a previous class of quan- 
tum authentication protocols to the case of one-qubit 
messages, and studied its security against a forger with 
quantum power and full access to the channel between 
the communicating parties. The main result of this study 
is that, unlike classical binary messages, the intrinsic na- 
ture of quantum information makes the authentication 
of one qubit using a minimal key impossible, i.e. it is 
not possible to keep the failure probability of the qubit 
authentication protocol below one. We are currently in- 
vestigating the minimum amount of quantum resources 
needed to authenticate a qubit, and the use of more gen- 
eral quantum operations (TPCP maps) in the encoding 
and decoding actions. Our results will be published else- 
where. 
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APPENDIX A 



From the equality of the blocks resulting from multiply- 
ing by |0)(1| T and |l)(Q|r both sides of U f £ A £ U £ = B £ , 
we obtain the equations: 



^11^11 + ^00^00^01 = 0, 
Ul l A ll U w + Ul l A 0Q U m = Q. 



(A4) 
(A5) 



Since all the f/y blocks are invertible, we have the fol- 



lowing two expressions for An'- 



An = -U^U^AooUtnU^ 
= —U n U^AqqUoqU^ 1 



(A6) 



The second equality in this equation implies: 
AooUoiU^UwU^ 1 = U^UloUK'u^Aoo, that is, 
A m G = G^Aqq, with G = U 01 U n 1 U 10 U 00 1 . Using the 
following relation between the Uij blocks, derived from 
the unitarity of U £ , 



UlU 01 + ut a Uu = 



(A7) 



it 4- i 

we can write G = —U 00 U1 UiqU Q0 , so G is hermitian, 
and, therefore, Aqq and G commute. Any hermitian op- 
erator commutes with some unitary operator that is not 
a scalar multiple of the identity, so this gu aran tees Aqq 
exists. Given Aqq, we can obtain An from (A6). Now it 
remains to be shown that such An is also unitary. Com- 
puting the adjoint of the first expression in ( |A6| ) and 
multiplying it by the second, we obtain: 



In this appendix we show that, given a unitary opera- 
tor U £ , acting on a four-dimensional space £ — M ® T, 
and with the 2x2 blocks of its matrix representa- 
tion nonsingular, one (Eve) can always find two uni- 
tary, block-diagonal operators , A £ and B £ , such that 
U £ A £ U £ = B e . 

The explicit expressions for the operators in their block 
form can be written as: 



^4n^4ii — Un ^oi^oo^oo^io 1 ^!! ^oi^oo^oo^io 1 - 

(A8) 

From (A7), UnUm — —U^Uqo. Applying this result to 
the equation above leads to 



A^Au = -U n r> U^A^AooUooU^ 1 (A9) 
= -^n^oi^ot/io 1 = Un^UnU^U^ = I, 



i=0 j=0 

i 

A £ = ^2 A u <g> |«)(i|r, 

i=j0 

B £ = Y^ B H ® l*>(*k- 
i=0 



(Al) 

(A2) 
(A3) 



and, therefore, An is unitary. 

As for £?oo and flu, they can be obtained, in terms 
of Aqq and An, from the equality between the blocks of 
B £ , when both of its sides are multiplied by 
\t and |l)(l|r- Their unitarity is proven in a similar 
way. 



u\a £ xj £ 



